Merge branch 'master' into full-post-to-oss-security

Conflicts: doc/release/security.md

Merge branch 'master' into full-post-to-oss-security
Conflicts: doc/release/security.md
Sytse Sijbrandij
2 parents 250a86d2 6cc3cc51
Showing 25 changed files with 344 additions and 29 deletions Show diff stats
CHANGELOG
VERSION
app/assets/stylesheets/gitlab_bootstrap/common.scss
app/assets/stylesheets/gitlab_bootstrap/forms.scss
app/contexts/files/delete_context.rb
app/controllers/projects/blob_controller.rb
app/views/projects/blob/_actions.html.haml
app/views/projects/blob/_remove.html.haml
app/views/projects/blob/show.html.haml
app/views/snippets/_form.html.haml
app/views/snippets/_snippet.html.haml
config/routes.rb
doc/api/projects.md
doc/api/repositories.md
doc/release/security.md
features/steps/snippets/snippets.rb
lib/api/files.rb
lib/api/projects.rb
lib/gitlab/satellite/files/delete_file_action.rb
lib/gitlab/satellite/files/edit_file_action.rb
@@ -9,6 +9,7 @@ v 6.3.0
   - Fixed issue with 500 error when group did not exist
   - Ability to leave project
   - You can create file in repo using UI
+  - You can remove file from repo using UI
   - API: dropped default_branch attribute from project during creation
   - Project default_branch is not stored in db any more. It takes from repo now.
   - Admin broadcast messages
@@ -16,8 +17,26 @@ v 6.3.0
   - Dont show last push widget if user removed this branch
   - Fix 500 error for repos with newline in file name
   - Extended html titles
-  - API: create/update repo files
+  - API: create/update/delete repo files
   - Admin can transfer project to any namespace
+  - API: projects/all for admin users
+  - Fix recent branches order
+
+v 6.2.4
+  - Security: Cast API private_token to string (CVE-2013-4580)
+  - Security: Require gitlab-shell 1.7.8 (CVE-2013-4581, CVE-2013-4582, CVE-2013-4583)
+  - Fix for Git SSH access for LDAP users
+
+v 6.2.3
+  - Security: More protection against CVE-2013-4489
+  - Security: Require gitlab-shell 1.7.4 (CVE-2013-4490, CVE-2013-4546)
+  - Fix sidekiq rake tasks
+
+v 6.2.2
+  - Security: Update gitlab_git (CVE-2013-4489)
+
+v 6.2.1
+  - Security: Fix issue with generated passwords for new users
 v 6.2.0
   - Public project pages are now visible to everyone (files, issues, wik, etc.)
@@ -104,6 +123,14 @@ v 6.0.0
   - Improved MR comments logic
   - Render readme file for projects in public area
+v 5.4.2
+  - Security: Cast API private_token to string (CVE-2013-4580)
+  - Security: Require gitlab-shell 1.7.8 (CVE-2013-4581, CVE-2013-4582, CVE-2013-4583)
+
+v 5.4.1
+  - Security: Fixes for CVE-2013-4489
+  - Security: Require gitlab-shell 1.7.4 (CVE-2013-4490, CVE-2013-4546)
+
 v 5.4.0
   - Ability to edit own comments
   - Documentation improvements
-6.3.0.pre
+6.3.0.beta1
@@ -93,6 +93,12 @@ pre.well-pre {
   font-size: 12px;
   font-style: normal;
   font-weight: normal;
+
+  &.label-gray {
+    background-color: #eee;
+    color: #999;
+    text-shadow: none;
+  }
 }
 /** Big Labels **/
@@ -3,6 +3,16 @@ form {
   label {
     @extend .control-label;
+
+    &.radio-label {
+      text-align: left;
+      width: 100%;
+      margin-left: 0;
+
+      input[type="radio"] {
+        margin-top: 1px !important;
+      }
+    }
   }
 }
@@ -0,0 +1,38 @@
+module Files
+  class DeleteContext < BaseContext
+    def execute
+      allowed = if project.protected_branch?(ref)
+                  can?(current_user, :push_code_to_protected_branches, project)
+                else
+                  can?(current_user, :push_code, project)
+                end
+
+      unless allowed
+        return error("You are not allowed to push into this branch")
+      end
+
+      unless repository.branch_names.include?(ref)
+        return error("You can only create files if you are on top of a branch")
+      end
+
+      blob = repository.blob_at(ref, path)
+
+      unless blob
+        return error("You can only edit text files")
+      end
+
+      delete_file_action = Gitlab::Satellite::DeleteFileAction.new(current_user, project, ref, path)
+
+      deleted_successfully = delete_file_action.commit!(
+        nil,
+        params[:commit_message]
+      )
+
+      if deleted_successfully
+        success
+      else
+        error("Your changes could not be commited, because the file has been changed")
+      end
+    end
+  end
+end
@@ -7,9 +7,30 @@ class Projects::BlobController &lt; Projects::ApplicationController
   before_filter :authorize_code_access!
   before_filter :require_non_empty_project
+  before_filter :blob
+
   def show
-    @blob = @repository.blob_at(@commit.id, @path)
+  end
+
+  def destroy
+    result = Files::DeleteContext.new(@project, current_user, params, @ref, @path).execute
+
+    if result[:status] == :success
+      flash[:notice] = "Your changes have been successfully commited"
+      redirect_to project_tree_path(@project, @ref)
+    else
+      flash[:alert] = result[:error]
+      render :show
+    end
+  end
+
+  private
+
+  def blob
+    @blob ||= @repository.blob_at(@commit.id, @path)
+
+    return not_found! unless @blob
-    not_found! unless @blob
+    @blob
   end
 end
@@ -4,7 +4,7 @@
     - if allowed_tree_edit?
       = link_to "edit", project_edit_tree_path(@project, @id), class: "btn btn-small"
     - else
-      %span.btn.btn-small.disabled Edit
+      %span.btn.btn-small.disabled edit
   = link_to "raw", project_raw_path(@project, @id), class: "btn btn-small", target: "_blank"
   -# only show normal/blame view links for text files
   - if @blob.text?
@@ -13,3 +13,7 @@
     - else
       = link_to "blame", project_blame_path(@project, @id), class: "btn btn-small" unless @blob.empty?
   = link_to "history", project_commits_path(@project, @id), class: "btn btn-small"
+
+  - if allowed_tree_edit?
+    = link_to '#modal-remove-blob', class: "remove-blob btn btn-small btn-remove", "data-toggle" => "modal" do
+      remove
@@ -0,0 +1,19 @@
+%div#modal-remove-blob.modal.hide
+  .modal-header
+    %a.close{href: "#", "data-dismiss" => "modal"} ×
+    %h3.page-title Remove #{@blob.name}
+    %p.light
+      From branch
+      %strong= @ref
+
+  .modal-body
+    = form_tag project_blob_path(@project, @id), method: :delete do
+      .control-group.commit_message-group
+        = label_tag 'commit_message', class: "control-label" do
+          Commit message
+        .controls
+          = text_area_tag 'commit_message', params[:commit_message], placeholder: "Removed this file because...", required: true, rows: 3
+      .control-group
+        .controls
+          = submit_tag 'Remove file', class: 'btn btn-remove'
+          = link_to "Cancel", '#', class: "btn btn-cancel", "data-dismiss" => "modal"
@@ -2,3 +2,6 @@
   = render 'shared/ref_switcher', destination: 'blob', path: @path
 %div#tree-holder.tree-holder
   = render 'blob', blob: @blob
+
+- if allowed_tree_edit?
+  = render 'projects/blob/remove'
@@ -13,9 +13,20 @@
       = f.label :title
       .controls= f.text_field :title, placeholder: "Example Snippet", class: 'input-xlarge', required: true
     .control-group
-      = f.label "Private?"
+      = f.label "Access"
       .controls
-        = f.check_box :private, {class: ''}
+        = f.label :private_true, class: 'radio-label' do
+          = f.radio_button :private, true
+          %span
+            %strong Private
+            (only you can see this snippet)
+        %br
+        = f.label :private_false, class: 'radio-label' do
+          = f.radio_button :private, false
+          %span
+            %strong Public
+            (GitLab users can can see this snippet)
+
     .control-group
       .file-editor
         = f.label :file_name, "File"
@@ -33,9 +44,10 @@
       - else
         = f.submit 'Save', class: "btn-save btn"
-      = link_to "Cancel", snippets_path(@project), class: "btn btn-cancel"
       - unless @snippet.new_record?
-        .pull-right= link_to 'Destroy', snippet_path(@snippet), confirm: 'Removed snippet cannot be restored! Are you sure?', method: :delete, class: "btn pull-right danger delete-snippet", id: "destroy_snippet_#{@snippet.id}"
+        .pull-right.prepend-left-20
+          = link_to 'Remove', snippet_path(@snippet), confirm: 'Removed snippet cannot be restored! Are you sure?', method: :delete, class: "btn btn-remove delete-snippet", id: "destroy_snippet_#{@snippet.id}"
+      = link_to "Cancel", snippets_path(@project), class: "btn btn-cancel"
 :javascript
@@ -3,7 +3,7 @@
     = link_to reliable_snippet_path(snippet) do
       = truncate(snippet.title, length: 60)
       - if snippet.private?
-        %span.label.label-success
+        %span.label.label-gray
           %i.icon-lock
           private
     %span.cgray.monospace.tiny.pull-right
@@ -173,7 +173,7 @@ Gitlab::Application.routes.draw do
     end
     scope module: :projects do
-      resources :blob,      only: [:show], constraints: {id: /.+/}
+      resources :blob,      only: [:show, :destroy], constraints: {id: /.+/}
       resources :raw,       only: [:show], constraints: {id: /.+/}
       resources :tree,      only: [:show], constraints: {id: /.+/, format: /(html|js)/ }
       resources :edit_tree, only: [:show, :update], constraints: {id: /.+/}, path: 'edit'
@@ -2,7 +2,7 @@
 ### List projects
-Get a list of projects owned by the authenticated user.
+Get a list of projects accessible by the authenticated user.
 ```
 GET /projects
@@ -82,6 +82,22 @@ GET /projects
 ```
+#### List owned projects
+
+Get a list of projects owned by the authenticated user.
+
+```
+GET /projects/owned
+```
+
+#### List ALL projects
+
+Get a list of all GitLab projects (admin only).
+
+```
+GET /projects/all
+```
+
 ### Get single project
 Get a specific project, identified by project ID or NAMESPACE/PROJECT_NAME , which is owned by the authentication user.
@@ -397,3 +397,15 @@ Parameters:
 + `branch_name` (required) - The name of branch
 + `content` (required) - New file content
 + `commit_message` (required) - Commit message
+
+## Delete existing file in repository
+
+```
+DELETE /projects/:id/repository/files
+```
+
+Parameters:
+
++ `file_path` (required) - Full path to file. Ex. lib/class.rb
++ `branch_name` (required) - The name of branch
++ `commit_message` (required) - Commit message
@@ -13,12 +13,14 @@ Please report suspected security vulnerabilities in private to support@gitlab.co
 1. Verify that the issue can be repoduced
 1. Acknowledge the issue to the researcher that disclosed it
-1. Fix the issue on a feature branch, do this on the private dev.gitlab.org server and update the VERSION and CHANGELOG
+1. Fix the issue on a feature branch, do this on the private GitLab development server and update the VERSION and CHANGELOG in this branch
 1. Consider creating and testing workarounds
 1. Create feature branches for the blog posts on GitLab.org and GitLab.com and link them from the code branch
-1. Merge the code feature branch
-1. Create a git tag vX.X.X for CE and another one for EE
+1. Merge the code feature branch into master
+1. Cherry-pick the code into the latest stable branch
+1. Create a git tag vX.X.X for CE and another patch release for EE
 1. Push the code and the tags to all the CE and EE repositories
+1. Apply the patch to GitLab Cloud and the private GitLab development server
 1. Merge and publish the blog posts
 1. Send tweets about the release from @gitlabhq and @git_lab
 1. Send out an email to the subscribers mailing list on MailChimp
@@ -27,13 +29,17 @@ Please report suspected security vulnerabilities in private to support@gitlab.co
 1. Post a signed copy of our complete announcement to [oss-security](http://www.openwall.com/lists/oss-security/) and request a CVE number
 1. Add the security researcher to the [Security Researcher Acknowledgments list](http://www.gitlab.com/vulnerability-acknowledgements/)
 1. Thank the security researcher in an email for their cooperation
-1. Update the blogposts and the CHANGELOG when we receive a CVE number
+1. Update the blogpost and the CHANGELOG when we receive the CVE number
+
+The timing of the code merge into master should be coordinated in advance.
+After the merge we strive to publish the announcements within 60 minutes.
 ## Blog post template
 XXX Security Advisory for GitLab
 A recently discovered critical vulnerability in GitLab allows [unauthenticated API access|remote code execution|unauthorized access to repositories|XXX|PICKSOMETHING]. All users should update GitLab and gitlab-shell immediately.
+We [have|haven't|XXX|PICKSOMETHING|] heard of this vulnerability being actively exploited.
 ### Version affected
@@ -19,7 +19,7 @@ class SnippetsFeature &lt; Spinach::FeatureSteps
   end
   And 'I click link "Destroy"' do
-    click_link "Destroy"
+    click_link "Remove"
   end
   And 'I submit new snippet "Personal snippet three"' do
@@ -46,7 +46,7 @@ class SnippetsFeature &lt; Spinach::FeatureSteps
   end
   And 'I uncheck "Private" checkbox' do
-    find(:xpath, "//input[@id='personal_snippet_private']").set true
+    choose "Public"
     click_button "Save"
   end
@@ -40,8 +40,7 @@ module API
       # Update existing file in repository
       #
       # Parameters:
-      #   file_name (required) - The name of new file. Ex. class.rb
-      #   file_path (optional) - The path to new file. Ex. lib/
+      #   file_path (optional) - The path to file. Ex. lib/class.rb
       #   branch_name (required) - The name of branch
       #   content (required) - File content
       #   commit_message (required) - Commit message
@@ -67,7 +66,36 @@ module API
           render_api_error!(result[:error], 400)
         end
       end
+
+      # Delete existing file in repository
+      #
+      # Parameters:
+      #   file_path (optional) - The path to file. Ex. lib/class.rb
+      #   branch_name (required) - The name of branch
+      #   content (required) - File content
+      #   commit_message (required) - Commit message
+      #
+      # Example Request:
+      #   DELETE /projects/:id/repository/files
+      #
+      delete ":id/repository/files" do
+        required_attributes! [:file_path, :branch_name, :commit_message]
+        attrs = attributes_for_keys [:file_path, :branch_name, :commit_message]
+        branch_name = attrs.delete(:branch_name)
+        file_path = attrs.delete(:file_path)
+        result = ::Files::DeleteContext.new(user_project, current_user, attrs, branch_name, file_path).execute
+
+        if result[:status] == :success
+          status(200)
+
+          {
+            file_path: file_path,
+            branch_name: branch_name
+          }
+        else
+          render_api_error!(result[:error], 400)
+        end
+      end
     end
   end
 end
-
@@ -31,6 +31,16 @@ module API
         present @projects, with: Entities::Project
       end
+      # Get all projects for admin user
+      #
+      # Example Request:
+      #   GET /projects/all
+      get '/all' do
+        authenticated_as_admin!
+        @projects = paginate Project
+        present @projects, with: Entities::Project
+      end
+
       # Get a single project
       #
       # Parameters:
@@ -0,0 +1,43 @@
+require_relative 'file_action'
+
+module Gitlab
+  module Satellite
+    class DeleteFileAction < FileAction
+      # Deletes file and creates a new commit for it
+      #
+      # Returns false if committing the change fails
+      # Returns false if pushing from the satellite to bare repo failed or was rejected
+      # Returns true otherwise
+      def commit!(content, commit_message)
+        in_locked_and_timed_satellite do |repo|
+          prepare_satellite!(repo)
+
+          # create target branch in satellite at the corresponding commit from bare repo
+          repo.git.checkout({raise: true, timeout: true, b: true}, ref, "origin/#{ref}")
+
+          # update the file in the satellite's working dir
+          file_path_in_satellite = File.join(repo.working_dir, file_path)
+          File.delete(file_path_in_satellite)
+
+          # add removed file
+          repo.remove(file_path_in_satellite)
+
+          # commit the changes
+          # will raise CommandFailed when commit fails
+          repo.git.commit(raise: true, timeout: true, a: true, m: commit_message)
+
+
+          # push commit back to bare repo
+          # will raise CommandFailed when push fails
+          repo.git.push({raise: true, timeout: true}, :origin, ref)
+
+          # everything worked
+          true
+        end
+      rescue Grit::Git::CommandFailed => ex
+        Gitlab::GitLogger.error(ex.message)
+        false
+      end
+    end
+  end
+end
@@ -8,13 +8,13 @@ module Gitlab
       #
       # Returns false if the ref has been updated while editing the file
       # Returns false if committing the change fails
-      # Returns false if pushing from the satellite to Gitolite failed or was rejected
+      # Returns false if pushing from the satellite to bare repo failed or was rejected
       # Returns true otherwise
       def commit!(content, commit_message)
         in_locked_and_timed_satellite do |repo|
           prepare_satellite!(repo)
-          # create target branch in satellite at the corresponding commit from Gitolite
+          # create target branch in satellite at the corresponding commit from bare repo
           repo.git.checkout({raise: true, timeout: true, b: true}, ref, "origin/#{ref}")
           # update the file in the satellite's working dir
@@ -26,7 +26,7 @@ module Gitlab
           repo.git.commit(raise: true, timeout: true, a: true, m: commit_message)
-          # push commit back to Gitolite
+          # push commit back to bare repo
           # will raise CommandFailed when push fails
           repo.git.push({raise: true, timeout: true}, :origin, ref)
@@ -7,13 +7,13 @@ module Gitlab
       #
       # Returns false if the ref has been updated while editing the file
       # Returns false if committing the change fails
-      # Returns false if pushing from the satellite to Gitolite failed or was rejected
+      # Returns false if pushing from the satellite to bare repo failed or was rejected
       # Returns true otherwise
       def commit!(content, commit_message)
         in_locked_and_timed_satellite do |repo|
           prepare_satellite!(repo)
-          # create target branch in satellite at the corresponding commit from Gitolite
+          # create target branch in satellite at the corresponding commit from bare repo
           repo.git.checkout({raise: true, timeout: true, b: true}, ref, "origin/#{ref}")
           # update the file in the satellite's working dir
@@ -28,7 +28,7 @@ module Gitlab
           repo.git.commit(raise: true, timeout: true, a: true, m: commit_message)
-          # push commit back to Gitolite
+          # push commit back to bare repo
           # will raise CommandFailed when push fails
           repo.git.push({raise: true, timeout: true}, :origin, ref)
@@ -28,7 +28,7 @@ module Gitlab
         in_locked_and_timed_satellite do |merge_repo|
           prepare_satellite!(merge_repo)
           if merge_in_satellite!(merge_repo)
-            # push merge back to Gitolite
+            # push merge back to bare repo
             # will raise CommandFailed when push fails
             merge_repo.git.push(default_options, :origin, merge_request.target_branch)
             # remove source branch
@@ -123,7 +123,7 @@ module Gitlab
         remotes.each { |name| repo.git.remote(default_options,'rm', name)}
       end
-      # Updates the satellite from Gitolite
+      # Updates the satellite from bare repo
       #
       # Note: this will only update remote branches (i.e. origin/*)
       def update_from_source!
@@ -78,4 +78,38 @@ describe API::API do
       response.status.should == 400
     end
   end
+
+  describe "DELETE /projects/:id/repository/files" do
+    let(:valid_params) {
+      {
+        file_path: 'spec/spec_helper.rb',
+        branch_name: 'master',
+        commit_message: 'Changed file'
+      }
+    }
+
+    it "should delete existing file in project repo" do
+      Gitlab::Satellite::DeleteFileAction.any_instance.stub(
+        commit!: true,
+      )
+
+      delete api("/projects/#{project.id}/repository/files", user), valid_params
+      response.status.should == 200
+      json_response['file_path'].should == 'spec/spec_helper.rb'
+    end
+
+    it "should return a 400 bad request if no params given" do
+      delete api("/projects/#{project.id}/repository/files", user)
+      response.status.should == 400
+    end
+
+    it "should return a 400 if satellite fails to create file" do
+      Gitlab::Satellite::DeleteFileAction.any_instance.stub(
+        commit!: false,
+      )
+
+      delete api("/projects/#{project.id}/repository/files", user), valid_params
+      response.status.should == 400
+    end
+  end
 end
@@ -36,6 +36,32 @@ describe API::API do
     end
   end
+  describe "GET /projects/all" do
+    context "when unauthenticated" do
+      it "should return authentication error" do
+        get api("/projects/all")
+        response.status.should == 401
+      end
+    end
+
+    context "when authenticated as regular user" do
+      it "should return authentication error" do
+        get api("/projects/all", user)
+        response.status.should == 403
+      end
+    end
+
+    context "when authenticated as admin" do
+      it "should return an array of all projects" do
+        get api("/projects/all", admin)
+        response.status.should == 200
+        json_response.should be_an Array
+        json_response.first['name'].should == project.name
+        json_response.first['owner']['email'].should == user.email
+      end
+    end
+  end
+
   describe "POST /projects" do
     context "maximum number of projects reached" do
       before do
	@@ -9,6 +9,7 @@ v 6.3.0		@@ -9,6 +9,7 @@ v 6.3.0
9	- Fixed issue with 500 error when group did not exist	9	- Fixed issue with 500 error when group did not exist
10	- Ability to leave project	10	- Ability to leave project
11	- You can create file in repo using UI	11	- You can create file in repo using UI
		12	+ - You can remove file from repo using UI
12	- API: dropped default_branch attribute from project during creation	13	- API: dropped default_branch attribute from project during creation
13	- Project default_branch is not stored in db any more. It takes from repo now.	14	- Project default_branch is not stored in db any more. It takes from repo now.
14	- Admin broadcast messages	15	- Admin broadcast messages
	@@ -16,8 +17,26 @@ v 6.3.0		@@ -16,8 +17,26 @@ v 6.3.0
16	- Dont show last push widget if user removed this branch	17	- Dont show last push widget if user removed this branch
17	- Fix 500 error for repos with newline in file name	18	- Fix 500 error for repos with newline in file name
18	- Extended html titles	19	- Extended html titles
19	- - API: create/update repo files	20	+ - API: create/update/delete repo files
20	- Admin can transfer project to any namespace	21	- Admin can transfer project to any namespace
		22	+ - API: projects/all for admin users
		23	+ - Fix recent branches order
		24	+
		25	+v 6.2.4
		26	+ - Security: Cast API private_token to string (CVE-2013-4580)
		27	+ - Security: Require gitlab-shell 1.7.8 (CVE-2013-4581, CVE-2013-4582, CVE-2013-4583)
		28	+ - Fix for Git SSH access for LDAP users
		29	+
		30	+v 6.2.3
		31	+ - Security: More protection against CVE-2013-4489
		32	+ - Security: Require gitlab-shell 1.7.4 (CVE-2013-4490, CVE-2013-4546)
		33	+ - Fix sidekiq rake tasks
		34	+
		35	+v 6.2.2
		36	+ - Security: Update gitlab_git (CVE-2013-4489)
		37	+
		38	+v 6.2.1
		39	+ - Security: Fix issue with generated passwords for new users
21		40
22	v 6.2.0	41	v 6.2.0
23	- Public project pages are now visible to everyone (files, issues, wik, etc.)	42	- Public project pages are now visible to everyone (files, issues, wik, etc.)
	@@ -104,6 +123,14 @@ v 6.0.0		@@ -104,6 +123,14 @@ v 6.0.0
104	- Improved MR comments logic	123	- Improved MR comments logic
105	- Render readme file for projects in public area	124	- Render readme file for projects in public area
106		125
		126	+v 5.4.2
		127	+ - Security: Cast API private_token to string (CVE-2013-4580)
		128	+ - Security: Require gitlab-shell 1.7.8 (CVE-2013-4581, CVE-2013-4582, CVE-2013-4583)
		129	+
		130	+v 5.4.1
		131	+ - Security: Fixes for CVE-2013-4489
		132	+ - Security: Require gitlab-shell 1.7.4 (CVE-2013-4490, CVE-2013-4546)
		133	+
107	v 5.4.0	134	v 5.4.0
108	- Ability to edit own comments	135	- Ability to edit own comments
109	- Documentation improvements	136	- Documentation improvements
	@@ -93,6 +93,12 @@ pre.well-pre {		@@ -93,6 +93,12 @@ pre.well-pre {
93	font-size: 12px;	93	font-size: 12px;
94	font-style: normal;	94	font-style: normal;
95	font-weight: normal;	95	font-weight: normal;
		96	+
		97	+ &.label-gray {
		98	+ background-color: #eee;
		99	+ color: #999;
		100	+ text-shadow: none;
		101	+ }
96	}	102	}
97		103
98	/ Big Labels /	104	/ Big Labels /
	@@ -3,6 +3,16 @@ form {		@@ -3,6 +3,16 @@ form {
3		3
4	label {	4	label {
5	@extend .control-label;	5	@extend .control-label;
		6	+
		7	+ &.radio-label {
		8	+ text-align: left;
		9	+ width: 100%;
		10	+ margin-left: 0;
		11	+
		12	+ input[type="radio"] {
		13	+ margin-top: 1px !important;
		14	+ }
		15	+ }
6	}	16	}
7	}	17	}
8		18
@@ -0,0 +1,38 @@		@@ -0,0 +1,38 @@
	1	+module Files
	2	+ class DeleteContext < BaseContext
	3	+ def execute
	4	+ allowed = if project.protected_branch?(ref)
	5	+ can?(current_user, :push_code_to_protected_branches, project)
	6	+ else
	7	+ can?(current_user, :push_code, project)
	8	+ end
	9	+
	10	+ unless allowed
	11	+ return error("You are not allowed to push into this branch")
	12	+ end
	13	+
	14	+ unless repository.branch_names.include?(ref)
	15	+ return error("You can only create files if you are on top of a branch")
	16	+ end
	17	+
	18	+ blob = repository.blob_at(ref, path)
	19	+
	20	+ unless blob
	21	+ return error("You can only edit text files")
	22	+ end
	23	+
	24	+ delete_file_action = Gitlab::Satellite::DeleteFileAction.new(current_user, project, ref, path)
	25	+
	26	+ deleted_successfully = delete_file_action.commit!(
	27	+ nil,
	28	+ params[:commit_message]
	29	+ )
	30	+
	31	+ if deleted_successfully
	32	+ success
	33	+ else
	34	+ error("Your changes could not be commited, because the file has been changed")
	35	+ end
	36	+ end
	37	+ end
	38	+end
	@@ -7,9 +7,30 @@ class Projects::BlobController < Projects::ApplicationController		@@ -7,9 +7,30 @@ class Projects::BlobController < Projects::ApplicationController
7	before_filter :authorize_code_access!	7	before_filter :authorize_code_access!
8	before_filter :require_non_empty_project	8	before_filter :require_non_empty_project
9		9
		10	+ before_filter :blob
		11	+
10	def show	12	def show
11	- @blob = @repository.blob_at(@commit.id, @path)	13	+ end
		14	+
		15	+ def destroy
		16	+ result = Files::DeleteContext.new(@project, current_user, params, @ref, @path).execute
		17	+
		18	+ if result[:status] == :success
		19	+ flash[:notice] = "Your changes have been successfully commited"
		20	+ redirect_to project_tree_path(@project, @ref)
		21	+ else
		22	+ flash[:alert] = result[:error]
		23	+ render :show
		24	+ end
		25	+ end
		26	+
		27	+ private
		28	+
		29	+ def blob
		30	+ @blob \|\|= @repository.blob_at(@commit.id, @path)
		31	+
		32	+ return not_found! unless @blob
12		33
13	- not_found! unless @blob	34	+ @blob
14	end	35	end
15	end	36	end
@@ -0,0 +1,19 @@		@@ -0,0 +1,19 @@
	1	+%div#modal-remove-blob.modal.hide
	2	+ .modal-header
	3	+ %a.close{href: "#", "data-dismiss" => "modal"} ×
	4	+ %h3.page-title Remove #{@blob.name}
	5	+ %p.light
	6	+ From branch
	7	+ %strong= @ref
	8	+
	9	+ .modal-body
	10	+ = form_tag project_blob_path(@project, @id), method: :delete do
	11	+ .control-group.commit_message-group
	12	+ = label_tag 'commit_message', class: "control-label" do
	13	+ Commit message
	14	+ .controls
	15	+ = text_area_tag 'commit_message', params[:commit_message], placeholder: "Removed this file because...", required: true, rows: 3
	16	+ .control-group
	17	+ .controls
	18	+ = submit_tag 'Remove file', class: 'btn btn-remove'
	19	+ = link_to "Cancel", '#', class: "btn btn-cancel", "data-dismiss" => "modal"
	@@ -2,3 +2,6 @@		@@ -2,3 +2,6 @@
2	= render 'shared/ref_switcher', destination: 'blob', path: @path	2	= render 'shared/ref_switcher', destination: 'blob', path: @path
3	%div#tree-holder.tree-holder	3	%div#tree-holder.tree-holder
4	= render 'blob', blob: @blob	4	= render 'blob', blob: @blob
		5	+
		6	+- if allowed_tree_edit?
		7	+ = render 'projects/blob/remove'
	@@ -3,7 +3,7 @@		@@ -3,7 +3,7 @@
3	= link_to reliable_snippet_path(snippet) do	3	= link_to reliable_snippet_path(snippet) do
4	= truncate(snippet.title, length: 60)	4	= truncate(snippet.title, length: 60)
5	- if snippet.private?	5	- if snippet.private?
6	- %span.label.label-success	6	+ %span.label.label-gray
7	%i.icon-lock	7	%i.icon-lock
8	private	8	private
9	%span.cgray.monospace.tiny.pull-right	9	%span.cgray.monospace.tiny.pull-right
	@@ -173,7 +173,7 @@ Gitlab::Application.routes.draw do		@@ -173,7 +173,7 @@ Gitlab::Application.routes.draw do
173	end	173	end
174		174
175	scope module: :projects do	175	scope module: :projects do
176	- resources :blob, only: [:show], constraints: {id: /.+/}	176	+ resources :blob, only: [:show, :destroy], constraints: {id: /.+/}
177	resources :raw, only: [:show], constraints: {id: /.+/}	177	resources :raw, only: [:show], constraints: {id: /.+/}
178	resources :tree, only: [:show], constraints: {id: /.+/, format: /(html\|js)/ }	178	resources :tree, only: [:show], constraints: {id: /.+/, format: /(html\|js)/ }
179	resources :edit_tree, only: [:show, :update], constraints: {id: /.+/}, path: 'edit'	179	resources :edit_tree, only: [:show, :update], constraints: {id: /.+/}, path: 'edit'
	@@ -2,7 +2,7 @@		@@ -2,7 +2,7 @@
2		2
3	### List projects	3	### List projects
4		4
5	-Get a list of projects owned by the authenticated user.	5	+Get a list of projects accessible by the authenticated user.
6		6
7	```	7	```
8	GET /projects	8	GET /projects
	@@ -82,6 +82,22 @@ GET /projects		@@ -82,6 +82,22 @@ GET /projects
82	```	82	```
83		83
84		84
		85	+#### List owned projects
		86	+
		87	+Get a list of projects owned by the authenticated user.
		88	+
		89	+```
		90	+GET /projects/owned
		91	+```
		92	+
		93	+#### List ALL projects
		94	+
		95	+Get a list of all GitLab projects (admin only).
		96	+
		97	+```
		98	+GET /projects/all
		99	+```
		100	+
85	### Get single project	101	### Get single project
86		102
87	Get a specific project, identified by project ID or NAMESPACE/PROJECT_NAME , which is owned by the authentication user.	103	Get a specific project, identified by project ID or NAMESPACE/PROJECT_NAME , which is owned by the authentication user.